Privacy Requests

Audience

This API surface is for integration partners building on top of the Rokt network. Rokt ecommerce partners integrating placements on their own checkout should use the Rokt Ecommerce developer docs instead.

The Partnerships API exposes two privacy request surfaces. They are separate because they act on different subjects and use different downstream systems.

Use case	Endpoint	Subject	Idempotency
Network opt-out or network data deletion	POST /v1/partnership/network-privacy-requests	An end user of the Rokt network, identified by email, phone, or hashed email	No Idempotency-Key; retry only after backoff
Account-level data deletion	POST /v1/partnership/accounts/{account_id}/data-deletion-requests	A managed merchant account owned by your parent account	Requires Idempotency-Key; safe to retry with the same key

Choose the surface by subject

Use network-privacy-requests for a consumer asking to opt out of Rokt Ads or delete Rokt network data tied to their identifier. Use accounts/{account_id}/data-deletion-requests for deleting data tied to a merchant account that your platform manages.

Network privacy requests

Submit network opt-out and network data deletion requests with your API token and your parent account ID:

curl -X POST "https://accounts.rokt.com/v1/partnership/network-privacy-requests?parent_account_id=$PARENT_ACCOUNT_ID" \
  -H "Authorization: Bearer $ROKT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "requestType": "NETWORK_OPT_OUT",
    "email": "consumer@example.com"
  }'

The endpoint returns 202 Accepted after Rokt submits the request downstream. It does not create a partnership operation and does not return the standard response envelope.

X-Network-Privacy-Request-Iduuid

Rokt-generated privacy request ID for support and audit correlation.

requestIduuid

Same request ID in the response body.

statusstring

Current lifecycle state. Today the submitted state is submitted.

Identifier rules

requestType	Accepted identifiers	Rejected identifiers	Downstream action
NETWORK_OPT_OUT	Exactly one of email or phone	sha256Email; sending both email and phone	Submits an OPT_OUT to Rokt's privacy/consent service
NETWORK_DATA_DELETION	Exactly one of email or sha256Email	phone; sending both email and sha256Email	Sends the same network suppression action Rokt uses for deleted network user data

sha256Email must be a base64-encoded SHA256 digest, not a hex string.

curl -X POST "https://accounts.rokt.com/v1/partnership/network-privacy-requests?parent_account_id=$PARENT_ACCOUNT_ID" \
  -H "Authorization: Bearer $ROKT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "requestType": "NETWORK_DATA_DELETION",
    "sha256Email": "kJbnntuJYvQBhPiiHQcz6OSn0EyvzVeOBmtsG2sWkyU="
  }'

If a consumer asks for both deletion and opt-out for the same email, one network deletion submission is enough. Rokt treats deleted network user data as suppressed from future ads eligibility.

Account-level data deletion

Submit account-level deletion for a managed merchant account by passing the managed account_id, your parent account header, and an idempotency key:

curl -X POST "https://accounts.rokt.com/v1/partnership/accounts/$ACCOUNT_ID/data-deletion-requests" \
  -H "Authorization: Bearer $ROKT_TOKEN" \
  -H "X-Platform-Parent-Account-Id: $PARENT_ACCOUNT_ID" \
  -H "Idempotency-Key: $(uuidgen)"

Rokt validates that the parent account owns the managed account before submitting the request to the Data Deletion account API. The request body is empty; the target account is taken from the path.

The response uses the standard partnership envelope and returns 202 Accepted:

{
  "status": 202,
  "error": null,
  "message": "accepted",
  "request_id": "0e3a1b9c-1234-4abc-9def-aaaabbbbcccc",
  "data": {
    "requestId": "dad24980-de21-43e5-839b-cf66f840d9d1",
    "accountId": "<your-account-id>",
    "status": "submitted",
    "downstreamRequestId": "delete-account-1",
    "message": "Partnership account data deletion request submitted to the Data Deletion API."
  }
}

Capture both response headers:

X-Operation-Iduuid

Partnership operation ID. Poll GET /v1/partnership/operations/{operation_id} if your client loses the response or needs to confirm completion.

X-Partnership-Account-Data-Deletion-Request-Iduuid

Rokt-generated account data deletion request ID.

Dry-run

Add ?dry_run=true to validate auth, ownership, idempotency, and request routing without submitting to the downstream deletion service:

curl -X POST "https://accounts.rokt.com/v1/partnership/accounts/$ACCOUNT_ID/data-deletion-requests?dry_run=true" \
  -H "Authorization: Bearer $ROKT_TOKEN" \
  -H "X-Platform-Parent-Account-Id: $PARENT_ACCOUNT_ID" \
  -H "Idempotency-Key: $(uuidgen)"

Dry-run responses include dry_run: true, omit downstreamRequestId, and do not carry X-Operation-Id because no operation is persisted. Dry-runs burn idempotency keys, so use a fresh key for the real deletion request.

Data handling

The Accounts API acts as an authenticated ingress layer. It does not persist raw consumer identifiers for network privacy requests, and it does not persist downstream response bodies from the privacy downstreams.

Related

Idempotency Keys

Account-level deletion uses the normal partnership idempotency contract.

Operation Polling

Use X-Operation-Id to recover account-level deletion outcomes.